Virus Labs & Distribution
VLAD #3 - VSUM denial

   VSUM denial time :)

   Well people, it seems we have made it into VSUM.  All the AVers only
   have one of our viruses, it seems; the other seven or so never did
   make it into any scanners or reports, so now you know what sources
   to mess with ;)  As per usual with articles we have something to
   say about, I'm going to write my comments in square brackets in
   the article.

   Virus Name:  Incest
   [when will all you AV fucks get it right?  there are four viruses,
   each was published in VLAD#1 which you must have read!  Each a
   member of the Incest family, therefore this virus should be called
   Incest.Daddy!  the other three being Incest.Mummy, Incest.Brother
   and Incest.Sister.]

   [how true, no aliases]
   V Status:    New
   Discovered:  September, 1994
   Symptoms:    .COM & .EXE growth; DOS CHKDSK file allocation errors;
                decrease in total system & available free memory;
                file time changes
   Origin:      Queensland, Australia
   [ah well, now you know where the magazine was first released ;) ]
   Eff Length:  1,117 Bytes
   Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector
   Detection Method:
   [well it is detected by F-Prot and TBAV, but patti is too cool for
   these heuristic scanners]
   Removal Instructions:  Delete infected files
   [haha how true, I know that tbclean won't remove it, not sure about
   f-prot though, i doubt it]

   General Comments:
   The Incest virus was submitted in September, 1994, after its isolation
   in Australia.  Incest is a memory resident stealth-type virus which
   infects .COM and .EXE programs, including COMMAND.COM.
   [what's this isolation shit?  are these people thinking the virus
   didn't get anywhere past Queensland?  hmm interesting! :) ]

   When the first Incest infected program is executed, this virus will
   install itself memory resident at the top of system memory but below
   the 640K DOS boundary, not moving interrupt 12's return.  Total system
   and available free memory will have decreased by 2,400 bytes, and
   interrupt 21 will be hooked by the virus in memory.

   Once the Incest virus is memory resident, it will infect .COM and .EXE
   programs, including COMMAND.COM, when they are executed, opened, or
   copied.  Infected programs will have a file length increase of 1,117
   bytes, though the file length increase will be hidden when the virus
   is memory resident.  The virus will be located at the end of the file.
   The file's date in the DOS disk directory listing will not be altered,
   however, the time field will have been altered.  The following text
   strings are encrypted within the viral code:
   [if I remember correctly Incest.Daddy changes the seconds on files
   to 62 to check for infection (i might be wrong since I didn't write
   it hehe)]

           "[Incest Daddy] by VLAD - Brisbane, OZ"
           [well we had to say it was from somewhere didn't we,
           and naturally Brisbane came to mind]

   This virus interfers with the Microsoft Anti-Virus and Central
   Point Anti-Virus programs, deleting the above indicated files which
   the programs require in order to be able to detect viral infections.
   [I believe that's spelt "interferes" patti, but hey I'll let it go,
   yeah you're right it messes with those, and tbscan but you wouldn't
   mention that would you ;)]

   All in all the article is pretty much correct, although there are
   two versions of the Incest.Daddy virus (as noted by F-Prot).  It's
   obvious she hasn't read vlad#1 or I'm sure she would've mentioned
   about the reason *why* it's called the Incest family.

   Ah well, VSUM is in general full of shit.. but this is ok.  It just
   fucks me off that every single piece of AV bullshit has named our
   virus (they all only have Incest.Daddy!!) wrong, they obviously don't
   know how to read a magazine, any of them could get their hands on
   it if they really wanted to.

   When it comes down to it, we're lucky these people are doing their
   job badly.  It gives us a better chance of further infection, and
   a virus with more names might get more attention :) hehe I dunno,
   a pretty rooted theory but hey.. this is a magazine, I have to
   crap on about something :) heheheh
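
The VSUM entry above lists "file time changes" as a symptom, and the bracketed note recalls the seconds field being set to 62 as the infection check. The following is an added example, not code from VLAD or VSUM: it decodes the packed time word in raw FAT 8.3 directory entries and flags .COM/.EXE files whose seconds value is one no real clock produces. The marker value is taken from the note as an assumption, and the directory bytes are constructed sample data.

```python
import struct

SUSPECT_EXTS = {"COM", "EXE"}   # file types the VSUM entry says are infected

def decode_dos_time(word):
    """Split a packed FAT time word into (hours, minutes, seconds).
    Seconds are stored in 2-second units in the low 5 bits, so the field
    can hold 60 and 62 even though a real clock never writes them."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def parse_dir_entries(raw):
    """Yield (name, ext, size, time_word) for live file entries in a raw
    FAT directory region (32 bytes per entry)."""
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:              # end-of-directory marker
            break
        if entry[0] == 0xE5:              # deleted entry
            continue
        if entry[11] & 0x18:              # volume label / LFN slot / subdirectory
            continue
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        time_word, = struct.unpack_from("<H", entry, 22)
        size, = struct.unpack_from("<I", entry, 28)
        yield name, ext, size, time_word

def flag_impossible_seconds(raw):
    """Return (filename, size, hh:mm:ss) for executables stamped with seconds >= 60."""
    hits = []
    for name, ext, size, word in parse_dir_entries(raw):
        h, m, s = decode_dos_time(word)
        if ext in SUSPECT_EXTS and s >= 60:
            hits.append((f"{name}.{ext}", size, f"{h:02d}:{m:02d}:{s:02d}"))
    return hits

def _entry(name, ext, h, m, s, size):
    """Build one constructed directory entry (archive attribute, dummy date/cluster)."""
    word = (h << 11) | (m << 5) | (s // 2)
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([0x20])
            + bytes(10) + struct.pack("<HHHI", word, 0x1D21, 2, size))

# Constructed sample directory: one marked executable, one clean, one non-executable.
SAMPLE = (_entry("COMMAND", "COM", 12, 0, 62, 48741)
          + _entry("EDIT", "EXE", 9, 30, 14, 1000)
          + _entry("README", "TXT", 1, 2, 62, 100))

if __name__ == "__main__":
    for hit in flag_impossible_seconds(SAMPLE):
        print(hit)
```

Because the entry says the length increase is hidden while the virus is resident, a check like this is only meaningful when run against the raw directory from a clean boot.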



